Task #100295

Updated by Torben Hansen about 1 year ago

If for any reason no password policy is defined in @$GLOBALS['TYPO3_CONF_VARS']['BE']['passwordPolicy']@, it is possible for a user to submit an empty password, if the @required@ attribute of the new password fields in the password reset form is manually removed. TYPO3 will then save an empty password for the user. 

Although it is not possible to log in to TYPO3 with an empty password, a fallback check for an empty password must be added to @resetPassword@ in @TYPO3\CMS\Backend\Authentication\PasswordReset@.
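The failure mode described above, as an added example that is not TYPO3 core code: when the configured policy contributes no validators, only an explicit server-side empty check rejects a request whose form had the `required` attribute removed. The function names, the field names `password` and `passwordrepeat`, and the validator list are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for a configurable password policy: a map of
// validator callables. An empty map models "no password policy defined".
function policyViolations(string $password, array $validators): array
{
    $violations = [];
    foreach ($validators as $name => $validator) {
        if (!$validator($password)) {
            $violations[] = $name;
        }
    }
    return $violations;
}

// Before: relies on the policy alone. With no validators, '' is accepted.
function resetPasswordUnchecked(array $post, array $validators): bool
{
    $password = (string)($post['password'] ?? '');
    $repeat = (string)($post['passwordrepeat'] ?? '');
    if ($password !== $repeat) {
        return false;
    }
    return policyViolations($password, $validators) === [];
}

// After: fallback check that does not depend on any policy being configured.
function resetPasswordChecked(array $post, array $validators): bool
{
    $password = (string)($post['password'] ?? '');
    $repeat = (string)($post['passwordrepeat'] ?? '');
    if ($password === '' || $password !== $repeat) {
        return false;
    }
    return policyViolations($password, $validators) === [];
}

// Constructed request body: what the server receives once the browser no
// longer enforces the "required" attribute on the two password fields.
$post = ['password' => '', 'passwordrepeat' => ''];
$noPolicy = [];
$withPolicy = ['minimumLength' => static fn (string $p): bool => strlen($p) >= 8];

var_dump(resetPasswordUnchecked($post, $noPolicy));   // policy-only check, no policy
var_dump(resetPasswordUnchecked($post, $withPolicy)); // policy-only check, policy set
var_dump(resetPasswordChecked($post, $noPolicy));     // fallback check, no policy
```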